#1 |
Member
Mega Poster
Join Date: Mar 2005
Location: Llanwrtyd Wells Powys
Posts: 1,146
I'm under pressure to provide wireless access for the staff at work (for use of their personal phones, laptops etc during rest breaks), but I want to try and avoid any abuse of the facility and keep it legal.
Everyone has access to corporate machines, but they are soooo slow and the log-on takes minutes at a time, what with the whole building linked to corporate servers through VPN and a 2mb link. (It was originally only intended to run SAP and company web pages). A simple wireless router would cover the areas required, but most likely leak beyond too. Since we are close to a public area, I thought that I could use MAC filtering along with a password to prevent staff giving access to other users in adjacent buildings (there is a fire station, police, terminal building, public areas etc all hungry for internet access), so long as typing in all the numbers into the router does not get too tedious - I don't want to put much time into this as it's really outside my remit.
The other thing I've stumbled across is OpenDNS family shield - it looks like all I have to do is change the primary and secondary DNS addresses in the router to 208.67.222.123 and it will no longer resolve dodgy sites. Sounds a wonderful free service that would prevent the majority tech non-savvy from causing embarrassment, anyone heard of it?
#2 |
Guest
Posts: n/a
Hi,
Would the MAC filter not be an admin nightmare? How many staff do you have, and remember that they may also have more than one device. Can you not set up the router to go through a proxy and give each individual a username and password, and also remember to update the electronic comms policy to include the wifi access. Personally, unless you have major issues with 3/4G reception, I would push back on granting access as it will open up a whole pile of poop, as some smart a$$ will find a way around what you put in place and then it's porn all the way for them if you're lucky.
#3 | |
Member
Mega Poster
Join Date: Mar 2005
Location: Llanwrtyd Wells Powys
Posts: 1,146
I don't want to get involved with buying extra hardware and administering it either, I've better things to do. However, if I can find a fit and forget solution that will only cost a few man hours and minimal upkeep I'd offer it.
#4 |
Guest
Posts: n/a
Can't you override the router's DNS settings on your device?
Then again you could also use a proxy so I guess nothing's completely safe
#5 |
Member
Mega Poster
Join Date: Mar 2005
Location: Llanwrtyd Wells Powys
Posts: 1,146
I've no idea - no-one would have access to the wireless router and it would be password protected, but if someone were to type the actual IP address of a site rather than its name then that would bypass, but we are talking about a largely trustworthy and IT non-savvy workforce.
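The question in posts #4 and #5, whether a device can ignore the router's DNS settings, can be answered from the router's own firewall log by looking for DNS traffic that goes anywhere other than the FamilyShield resolvers. This is an added example and not part of the thread: the log lines are constructed in the style of Linux netfilter LOG output, the guest subnet 192.168.50.0/24 and the function names are assumptions, and 208.67.220.123 is FamilyShield's second resolver address alongside the one quoted in post #1.

```python
import re
from collections import defaultdict

# OpenDNS FamilyShield resolvers; the first is the address quoted in the thread.
FAMILYSHIELD = {"208.67.222.123", "208.67.220.123"}
# Plain DNS and DNS-over-TLS. DNS-over-HTTPS rides on port 443 and cannot be
# told apart from ordinary web traffic by port number alone.
DNS_PORTS = {53, 853}

# Constructed sample log (hypothetical guest subnet 192.168.50.0/24).
SAMPLE_LOG = """\
Jan 10 12:01:03 gw kernel: GUEST IN=wlan0 OUT=eth0 SRC=192.168.50.21 DST=208.67.222.123 PROTO=UDP SPT=40112 DPT=53
Jan 10 12:01:09 gw kernel: GUEST IN=wlan0 OUT=eth0 SRC=192.168.50.22 DST=8.8.8.8 PROTO=UDP SPT=51820 DPT=53
Jan 10 12:01:10 gw kernel: GUEST IN=wlan0 OUT=eth0 SRC=192.168.50.22 DST=1.1.1.1 PROTO=TCP SPT=51900 DPT=853
Jan 10 12:01:14 gw kernel: GUEST IN=wlan0 OUT=eth0 SRC=192.168.50.23 DST=208.67.220.123 PROTO=UDP SPT=33001 DPT=53
Jan 10 12:01:20 gw kernel: GUEST IN=wlan0 OUT=eth0 SRC=192.168.50.21 DST=93.184.216.34 PROTO=TCP SPT=44002 DPT=443
Jan 10 12:01:25 gw dnsmasq[412]: started, cache size 150
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_line(line):
    """Return the KEY=value fields of one log line as a dict."""
    return dict(FIELD.findall(line))


def find_dns_bypass(log_text, allowed=FAMILYSHIELD):
    """Map each client IP to the (resolver, port) pairs it contacted
    for DNS that are not on the allowed resolver list."""
    offenders = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not {"SRC", "DST", "DPT"} <= fields.keys():
            continue  # not a packet log line
        try:
            port = int(fields["DPT"])
        except ValueError:
            continue  # malformed port, skip rather than guess
        if port in DNS_PORTS and fields["DST"] not in allowed:
            offenders[fields["SRC"]].add((fields["DST"], port))
    return dict(offenders)


if __name__ == "__main__":
    for client, resolvers in sorted(find_dns_bypass(SAMPLE_LOG).items()):
        print(client, "used its own DNS:", sorted(resolvers))
```

A client that shows up here has set its own DNS server, so the filter in the router is not being applied to it.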
#6 |
Guest
Posts: n/a
Separate the wireless so it's on a different VLAN. Use a captive portal server to manage authentication (similar to what you use in pubs nowadays - with the login webpage).
Captive portal forwards any authentication requests to your Active Directory (or other authentication method). You need to remember security is key, so spend the additional time on setting up a proper system. It's your head that will roll if security is breached.
#7 | |
Member
Mega Poster
Join Date: Mar 2005
Location: Llanwrtyd Wells Powys
Posts: 1,146
I'll distance myself from any liability - I'll just set something up and hand responsibility over. The only reason it's been dumped on my door is I run the engineering department and management think we do everything from fixing flat tyres to providing 4G consultation to the government
#8 | |
Guest
Posts: n/a
VLAN = Virtual LAN (Local Area Network). This effectively gives you two separate networks using the same infrastructure (network equipment). Exactly what you want - your wired traffic and your wireless traffic using the same equipment. This basically stops wireless traffic from accessing areas of your network you don't want them to (storage servers, workstations etc for example).

Once you've separated your wireless network from your main wired traffic, you need a captive portal. A captive portal effectively tells any wireless traffic "you must come here before you can do anything else". This is a webpage. This web page will ask for some form of authentication (username or password for example). If you supply correct credentials, it will then allow you to go about your business. If you fail authentication, it will not allow you further. You will need a separate PC to do this (with two network cards).

Have a look at the following captive portal https://www.untangle.com/ It's free, I've never used it (as we paid for our captive portal at work), but I've heard it is very very good and very easy to set up. Untangle also has a proxy (a means of restricting web content) built in, which could be useful in your situation. Hope this helps.
#9 |
Member
Mega Poster
Join Date: Mar 2005
Location: Llanwrtyd Wells Powys
Posts: 1,146
Thanks, I understood that better.
Thing is, I'll just get BT to put in a new circuit (or have internet added to one of the spares I have) so it will be fully isolated from anything that already exists in the building.
#10 |
Member
Mega Poster
Join Date: Jul 2011
Location: Somewhere over there
Posts: 3,245
Get a decent router that has block filters on it, Draytek do these. Great bits of kit that are used commercially and in academic environments.
Something like this http://www.draytek.co.uk/products/vigor2830.html